1. Field of the Invention
The present invention relates to a communication system. More particularly, the present invention relates to an apparatus and a method for performing user authentication by proxy.
2. Description of the Related Art
The recent increase in concern about the protection of personal information has been accompanied by a remarkable increase in interest in the Open IDentifier (Open ID) service, which enables a user to log in to multiple Internet sites through a single IDentifier (ID) and thereby minimizes leakage of personal information. The Open ID service refers to a service in which a third party Internet service provider performs authentication of a user by proxy for an Internet service provider when the user accesses an Internet site of that Internet service provider. Therefore, a user can access all sites supporting the Open ID service after completing authentication at only one site which the user trusts, without creating and managing a new account whenever the user visits each site.
FIGS. 1A and 1B are signal flow diagrams illustrating a process of authenticating a user by using an Open ID service in a communication system according to the related art.
Referring to FIGS. 1A and 1B, a mobile communication service provider 100 manages a Home Subscriber Server (HSS)/Home Location Register (HLR) 102 for managing subscriber information, a Bootstrapping Server Function (BSF) unit 104 for actually authenticating a user 130, and an Open ID Provider (OP)/Network Application Function (NAF) unit 106.
An Internet Service Provider (ISP) 110 manages a Relying Party (RP) 112 which performs authentication of a user in cooperation with a third party organization.
A mobile station 120 manages a Browsing Agent (BA) providing a web browser and an Authentication Agent (AA) providing an authentication service, and the BA and AA are dealt with as a single integrated element, i.e., a BA/AA 122, in the following description.
The user 130 accesses the ISP 110 by opening, through the BA/AA 122, the web browser page of the Internet site which the user wants to access in step 140. Further, when the Internet site requests access information, the user 130 selects a mode for authenticating the user by using an Open ID service. Then, the user 130 inputs identification information, e.g., a User Supplied Identifier (USI), to be used by the third party organization which performs user authentication by proxy through the Open ID service in step 142. The identification information may include a Uniform Resource Identifier (URI), a Uniform Resource Locator (URL), an Extensible Resource Identifier (XRI), or a Mobile Station International Subscriber Directory Number (MSISDN), as well as the USI. Further, FIGS. 1A and 1B are based on the assumption that the third party organization is the illustrated mobile communication service provider 100.
The RP 112 of the ISP 110 extracts, from the identification information input by the user 130, the OP address of the third party organization which performs user authentication by proxy in step 144, and establishes a secured communication link with the third party organization, i.e., the mobile communication service provider 100, in step 146. The Diffie-Hellman (DH) key exchange scheme may be used to establish the communication link, although use of this scheme is optional.
Further, the RP 112 of the ISP 110 transmits to the mobile station 120, in step 148, the web browser page of the Internet site which the user 130 wants to access, the USI input by the user 130, and an authentication request through an Open ID. The mobile station 120 then transmits a Hypertext Transfer Protocol (HTTP) Get Request message, including the USI input by the user 130 and the authentication request through an Open ID, to the OP/NAF unit 106 of the mobile communication service provider 100 in step 150. Then, the OP/NAF unit 106 starts to authenticate the user 130 in step 152. In this event, it is assumed that the OP unit 106 also performs the NAF of the mobile communication service provider 100.
The OP/NAF unit 106 of the mobile communication service provider 100 transmits a Hypertext Transfer Protocol Secure (HTTPS) Response 401 Unauthorized message, which notifies the mobile station of the start of authentication, to the mobile station 120 in step 154, and the mobile station 120 transmits an HTTP Get Request message to the BSF unit 104 of the mobile communication service provider 100 as a response to the HTTPS Response 401 Unauthorized message in step 156. In this event, the HTTP Get Request message includes the USI input by the user 130.
The BSF unit 104 of the mobile communication service provider 100 acquires additional information used for the authentication of the user 130 from the HSS/HLR 102 in step 158, and the BSF unit 104 transmits a 401 Unauthorized message, which requests an Authentication and Key Agreement (AKA), to the mobile station 120 in step 160.
According to the request, the mobile station 120 performs an AKA algorithm in step 162 and transmits a Request Authorization Digest message including a result of execution of the AKA algorithm to the BSF unit 104 of the mobile communication service provider 100 in step 164.
The BSF unit 104 of the mobile communication service provider 100 determines the validity of the mobile station based on the result of execution of the AKA algorithm received from the mobile station 120 in step 166, and transmits a 200 OK message including authentication key information according to the result of the determination to the mobile station 120 in step 168. The 200 OK message includes lifetime information indicating how long the authentication key remains valid for use in subsequent processes. The mobile station 120 transmits the authentication information to the OP/NAF unit 106 of the mobile communication service provider 100 through an HTTP Get Request message in step 170.
The OP/NAF unit 106 of the mobile communication service provider 100 accesses the BSF unit 104 and requests information on the authentication key received from the mobile station 120 in step 172, and the BSF unit 104 provides the authentication key information to the OP/NAF unit 106 in step 174.
The OP/NAF unit 106 of the mobile communication service provider 100 determines whether the authentication key identified through the mobile station 120 and the authentication key information identified through the BSF unit 104 are identical to each other. When they are identical, the OP/NAF unit 106 transmits the web browser page of the Internet site, which the user 130 of the mobile station 120 wants to access, together with the result of the authentication, to the mobile station 120 in step 176, and the mobile station 120 transmits the result of the authentication to the RP 112 in step 178.
The RP 112 of the ISP 110 authorizes the authentication result in step 180, and displays the authorized authentication result to provide the user 130 with a service according to authentication success or failure in step 182.
The above description with reference to FIGS. 1A and 1B discusses a process of authenticating a user by using an Open ID service in a communication system according to the related art. However, in order to perform the process described above, there are 13 message transmissions or receptions between the mobile station 120 and the network side (the Internet site of the ISP 110 or the mobile communication service provider 100), namely steps 140, 142, 148, 150, 154, 156, 160, 164, 168, 170, 176, 178, and 182. Such frequent message transmission or reception increases the use of wireless traffic and thereby prolongs the login time from the user's perspective. Therefore, there is a need for a scheme capable of minimizing the number of message transmissions or receptions and thereby minimizing the login time from the user's perspective. Further, there is a need for a scheme which enables a mobile communication service provider to secure economic compensation for the wireless traffic used for the Open ID authentication.
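The following model replays the related-art flow of FIGS. 1A and 1B so that the 13 air-interface messages counted above, and the key comparison performed by the OP/NAF unit in step 176, can be checked concretely. It is an added illustration, not part of the patent or of any 3GPP specification: the subscriber key, the NAF identifier and the HMAC-based key derivation standing in for AKA and Ks_NAF derivation are all constructed assumptions.

```python
import hashlib
import hmac

# Assumption: long-term key shared by the mobile station and the HSS/HLR.
SUBSCRIBER_K = b"constructed-long-term-subscriber-key"
MS, ISP, OP_NAF, BSF, HSS = "MS", "RP/ISP", "OP/NAF", "BSF", "HSS/HLR"


def derive_naf_key(k: bytes, rand: bytes, naf_id: bytes) -> str:
    """Toy stand-in for AKA plus Ks_NAF derivation (assumption, not 3GPP)."""
    return hmac.new(k, rand + naf_id, hashlib.sha256).hexdigest()


def run_related_art_flow(ms_k: bytes = SUBSCRIBER_K, rand: bytes = b"\x01" * 16):
    """Replay steps 140-182 of FIGS. 1A/1B.

    Returns (air_steps, accepted): the step numbers in which the mobile
    station sends or receives a message (i.e. wireless traffic), and whether
    the OP/NAF unit accepted the key presented by the mobile station."""
    log = []                                  # (step, sender, receiver)

    def send(step, src, dst):
        log.append((step, src, dst))

    naf_id = b"op-naf.provider.example"       # constructed NAF identifier
    send(140, MS, ISP)                        # user opens the site's page
    send(142, MS, ISP)                        # USI entered, Open ID mode chosen
    # step 144: RP extracts the OP address from the USI (internal, no message)
    send(146, ISP, OP_NAF)                    # secured RP<->OP link (DH optional)
    send(148, ISP, MS)                        # page + USI + Open ID auth request
    send(150, MS, OP_NAF)                     # HTTP Get Request with USI
    # step 152: OP/NAF starts authentication (internal)
    send(154, OP_NAF, MS)                     # HTTPS 401 Unauthorized
    send(156, MS, BSF)                        # HTTP Get Request with USI
    send(158, HSS, BSF)                       # subscriber data from HSS/HLR
    send(160, BSF, MS)                        # 401 requesting AKA (carries rand)
    ms_key = derive_naf_key(ms_k, rand, naf_id)           # step 162 on the MS
    send(164, MS, BSF)                        # Request Authorization Digest
    bsf_key = derive_naf_key(SUBSCRIBER_K, rand, naf_id)  # step 166 at the BSF
    send(168, BSF, MS)                        # 200 OK with key info + lifetime
    send(170, MS, OP_NAF)                     # MS presents its key to OP/NAF
    send(172, OP_NAF, BSF)                    # OP/NAF asks BSF for key info
    send(174, BSF, OP_NAF)                    # BSF returns key info
    accepted = hmac.compare_digest(ms_key, bsf_key)       # OP/NAF comparison
    send(176, OP_NAF, MS)                     # page + authentication result
    send(178, MS, ISP)                        # result forwarded to the RP
    # step 180: RP authorizes the result (internal)
    send(182, ISP, MS)                        # result displayed to the user
    air_steps = [s for s, src, dst in log if MS in (src, dst)]
    return air_steps, accepted
```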
Moreover, since the Open ID is mainly applied to a computer-centered web browser environment, there is a need to improve the Open ID service so that the Open ID can be used in an environment centered on application programs of a mobile station such as a smart phone or a tablet computer.
The above information is presented as background information only to assist with an understanding of the present disclosure. No determination has been made, and no assertion is made, as to whether any of the above might be applicable as prior art with regard to the present invention.